CVE-2026-1104: CWE-862 Missing Authorization in ninjateam FastDup – Fastest WordPress Migration & Duplicator
CVE-2026-1104 is a high-severity vulnerability in the FastDup WordPress plugin that allows authenticated users with Contributor-level access or higher to create and download full-site backups without proper authorization checks. This flaw arises from missing capability checks on REST API endpoints, enabling unauthorized backup creation and download of the entire WordPress installation, including sensitive database exports and configuration files. Exploitation requires no user interaction beyond authentication, and the vulnerability affects all plugin versions up to 2.7.1. Although no exploits are currently known in the wild, the impact on confidentiality, integrity, and availability is significant. European organizations using this plugin are at risk of data exposure and potential site compromise. Mitigation involves promptly updating the plugin once a patch is available or restricting Contributor-level access and monitoring REST API usage. Countries with high WordPress adoption and significant digital infrastructure, such as Germany, France, and the UK, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2026-1104 is a high-severity authorization bypass vulnerability classified under CWE-862 affecting the FastDup – Fastest WordPress Migration & Duplicator plugin. The vulnerability stems from missing capability checks on REST API endpoints, which are intended to restrict backup creation and download operations to authorized users only. However, in all versions up to and including 2.7.1, authenticated users with Contributor-level permissions or higher can exploit this flaw to generate and download full backups of the WordPress site. These backups include the entire WordPress installation, encompassing database exports and configuration files, which contain sensitive information such as database credentials, site configurations, and potentially user data. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and only requires privileges equivalent to a Contributor (PR:L), without any user interaction (UI:N). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), reflected in the CVSS 3.1 base score of 8.8 (High). This vulnerability could lead to full site compromise, data leakage, and potential further exploitation. No patches were linked at the time of publication, and no known exploits have been reported in the wild, but the risk remains significant due to the ease of exploitation and the sensitive nature of the data accessible through the backups.
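The CWE-862 pattern described above, shown as an added illustration rather than FastDup's own code: a REST route whose permission callback performs no capability check beside the hardened form. The namespace, route and function names are hypothetical; the page does not publish the plugin's real endpoints.

```php
<?php
/*
 * Added illustration of a missing-authorization REST route and its fix.
 * Not FastDup's code; 'example-dup/v1' and the callback are placeholders.
 */
add_action( 'rest_api_init', function () {
    // Weak pattern (CWE-862): the route is reachable by any authenticated user
    // because the permission callback never checks a capability, so a
    // Contributor-level account can trigger the export.
    register_rest_route( 'example-dup/v1', '/backup', array(
        'methods'             => 'POST',
        'callback'            => 'example_dup_create_backup',
        'permission_callback' => '__return_true',   // no authorization check
    ) );

    // Hardened form: require a capability that only administrators hold.
    // WordPress still validates the REST cookie nonce for logged-in callers;
    // the capability check is what actually enforces authorization.
    register_rest_route( 'example-dup/v1', '/backup-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_dup_create_backup',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to create backups.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Placeholder export routine: the real plugin would build and store the
// archive here; this example only reports that the job was accepted.
function example_dup_create_backup( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'status' => 'queued' ) );
}
```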
Potential Impact
For European organizations, this vulnerability poses a substantial risk to the confidentiality and integrity of their WordPress-based websites. Unauthorized backup downloads can expose sensitive business data, customer information, and internal configurations, potentially leading to data breaches and compliance violations under GDPR. The availability of full backups to unauthorized users also increases the risk of site defacement, ransomware attacks, or further exploitation by adversaries who gain insight into the site’s architecture and credentials. Organizations relying on WordPress for e-commerce, government services, or critical communications could face operational disruptions and reputational damage. The vulnerability’s exploitation requires only Contributor-level access, which is commonly granted to content creators or external collaborators, increasing the attack surface. Given the widespread use of WordPress in Europe, especially in countries with large digital economies, the potential impact is broad and severe.
Mitigation Recommendations
Immediate mitigation steps include restricting Contributor-level access to trusted users only and auditing existing user roles to minimize unnecessary permissions. Organizations should monitor REST API usage logs for unusual backup creation or download activities. Since no patch was available at the time of reporting, disabling or removing the FastDup plugin temporarily can prevent exploitation. Once a security update is released by ninjateam, prompt application of the patch is critical. Additionally, implementing Web Application Firewalls (WAFs) with rules to detect and block unauthorized REST API calls related to backup operations can provide an additional layer of defense. Regular backups should be maintained separately and securely to avoid reliance on the vulnerable plugin. Security teams should also educate content contributors about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of compromised accounts.
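One way to implement the interim blocking and logging recommended above while no patch is available, as an added example that is not ninjateam's code: a must-use plugin that denies any request to the backup plugin's REST namespace from a user without the manage_options capability and records the attempt. The namespace prefix is a placeholder that must be replaced with the vulnerable plugin's real namespace.

```php
<?php
/*
 * Plugin Name: Backup Endpoint Guard (example mu-plugin)
 * Added illustration, not part of FastDup. Place in wp-content/mu-plugins/.
 * BEG_PROTECTED_PREFIX is a placeholder: set it to the plugin's actual REST
 * namespace after checking the routes listed at /wp-json/.
 */
define( 'BEG_PROTECTED_PREFIX', '/plugin-namespace-placeholder/v1/' );

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Routes outside the protected namespace pass through unchanged.
    $route = $request->get_route();
    if ( strpos( $route, BEG_PROTECTED_PREFIX ) !== 0 ) {
        return $response;
    }

    // Administrators keep access; every other caller is denied before the
    // plugin's own (missing) permission check and callback run.
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // Log the denied attempt so it can be correlated with REST access logs.
    $user = wp_get_current_user();
    error_log( sprintf(
        'beg: denied %s %s for user=%s (ID %d) from %s',
        $request->get_method(),
        $route,
        $user->user_login ? $user->user_login : 'anonymous',
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Returning a WP_Error from this filter short-circuits the request.
    return new WP_Error(
        'rest_forbidden',
        __( 'Backup operations are restricted to administrators.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Denied attempts appear in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled), which is where the monitoring described above should look for repeated calls from Contributor-level accounts.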
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-17T01:44:21.479Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698de86ac9e1ff5ad8e08f98
Added to database: 2/12/2026, 2:49:14 PM
Last enriched: 2/12/2026, 3:03:32 PM
Last updated: 2/12/2026, 4:56:39 PM